In an exemplary method implementation, a method includes: designating a neighborhood administrator; receiving notification of a delinquent router from the designated neighborhood administrator; and excluding the delinquent router responsive to the notification. In an exemplary mesh router implementation, a mesh router is capable of establishing a wireless mesh network with other mesh routers, the mesh router is further capable of designating a neighborhood administrator mesh router; and the mesh router is adapted to exclude another mesh router that is associated with a particular certificate when the particular certificate has been identified as delinquent by the designated neighborhood administrator. mesh router.
|
19. One or more processor-accessible computer storage media comprising processor-executable instructions that, when executed, direct a device to perform actions comprising:
storing a mesh-router-producing-entity-issued certificate of a plurality of certificates issued by a mesh-router-producing entity, the stored certificate comprising a name, a signature, and a public key, wherein the name corresponds to a name of a mesh router, the signature corresponds to an authentication by the mesh-router-producing entity, and the public key certifying that the mesh-router-producing-entity-issued certificate is bound to the name of the mesh router;
initializing by designating at least one other mesh router as a single neighborhood administrator, the initialized designated neighborhood administrator offering to be the neighborhood administrator, deciding whether to exclude a delinquent mesh router certificate;
granting, by the single neighborhood administrator, access to a network to mesh routers that possess at least one of the plurality of certificates issued by the mesh-router-producing entity;
receiving the delinquent mesh router certificate and notification of the associated delinquent mesh router from the single neighborhood administrator, the delinquent mesh router certificate comprising a name of the delinquent mesh router, the notification being signed by the single neighborhood administrator to authenticate the notification, and a public key corresponding to the delinquent mesh router; and
excluding the delinquent mesh router certificate responsive to the authenticated notification received from the designated neighborhood administrator.
14. A mesh router that is capable of establishing a wireless mesh network with other mesh routers, the mesh router further capable of designating at least one other mesh router as a single neighborhood administrator, the neighborhood administrator deciding whether to exclude a delinquent mesh router certificate;
the mesh router comprising at least one processor and one or more media configured to store a mesh-router-producing-entity-issued certificate of a plurality of certificates issued by a mesh-router-producing entity, the stored certificate comprising a name, a signature, and a public key, wherein the name corresponds to a name of the mesh router, the signature corresponds to an authentication by the mesh-router-producing entity, and the public key certifying that the mesh-router-producing-entity-issued certificate is bound to the name of the mesh router and configured to store processor-executable instructions capable of being executed by the at least on processor;
the mesh router designated as the single neighborhood administrator configured to grant other mesh routers that possess at least one of the plurality of certificates issue by the mesh-router-producing entity, access to the wireless mesh network;
the mesh router configured to exclude another mesh router that is associated with a particular certificate when the particular certificate has been identified as delinquent and sent by the designated neighborhood administrator;
wherein the particular certificate that is associated with the another mesh router comprises a name of the another mesh router, a signature created by a producing entity, and a public key corresponding to the another mesh router.
22. A system for implementing an exclusion capability, the system comprising:
coupling means for communicatively coupling a mesh router with one or more other mesh routers on a network;
storing means for storing a mesh-router-producing-entity-issued certificate of a plurality of certificates issued by a mesh-router-producing entity, the stored certificate comprising a name, a signature, and a public key, wherein the name corresponds to a name of the mesh router, the signature corresponds to an authentication by the mesh-router-producing entity, and the public key certifying that the mesh-router-producing-entity-issued certificate is bound to the name of the mesh router and processor-executable instructions capable of being executed by the at least one processor;
designation means for designating at least one other mesh router as a single neighborhood administrator, the neighborhood administrator deciding whether to exclude a delinquent mesh router certificate;
granting means for granting access to the network to mesh routers that possess at least one of the plurality of certificates issued by the mesh-router-producing entity;
detection means for detecting the delinquent mesh router of the one or more mesh routers of the network and deciding whether to exclude the delinquent mesh router certificate associated with the delinquent mesh router, the delinquent mesh router certificate comprising a name of the delinquent mesh router, a signature created by a producing entity, and a public key corresponding to the delinquent mesh router;
receiving means for receiving the delinquent mesh router certificate and a notification of an associated delinquent mesh router from the designated neighborhood administrator; and
exclusion means for excluding the delinquent mesh router responsive to the notification and based on the delinquent mesh router certificate associated with the delinquent mesh router, the delinquent mesh router certificate comprising the name of the delinquent mesh router, the signature created by a producing entity, and the public key corresponding to the delinquent mesh router.
1. A mesh router comprising:
at least one processor;
a network interface configured to communicatively couple the mesh router with one or more other mesh routers on a network; and
one or more media configured to store a mesh-router- producing-entity-issued certificate of a plurality of certificates issued by a mesh-router-producing entity, the stored certificate comprising a name, a signature, and a public key, wherein the name corresponds to a name of the mesh router, the signature corresponds to an authentication by the mesh-router- -producing entity, and the public key certifying that the mesh-router-producing-entity-issued certificate is bound to the name of the mesh router and configured to store processor-executable instructions capable of being executed by the at least one processor, the processor-executable instructions configured to direct the router to perform actions comprising:
initializing by designating the mesh router to be a single neighborhood administrator, the designated neighborhood administrator offering to be the neighborhood administrator and being designated by at least one other mesh router of the one or more other mesh routers on a network,
granting, by the designated neighborhood administrator, access to the network to mesh routers that possess at least one of the plurality of certificates issued by the mesh-router-producing entity;
detecting a delinquent mesh router of the one or more mesh routers of the network and deciding whether to exclude a delinquent mesh router certificate associated with the delinquent mesh router, the delinquent mesh router certificate comprising a name of the delinquent mesh router, a signature created by a producing entity, and a public key corresponding to the delinquent mesh router;
receiving the delinquent mesh router certificate and notification of the associated delinquent mesh router from the designated neighborhood administrator, the notification being signed by the designated neighborhood administrator to authenticate the notification; and
excluding the delinquent mesh router responsive to the authenticated notification based on the associated delinquent mesh router certificate;
wherein the router comprises a mesh router that effectively treats the associated delinquent mesh router certificate as being revoked and/or invalid based on the authenticated notification from the designated neighborhood administrator even when the associated delinquent mesh router certificate is issued and authenticated by an entity other than the designated neighborhood administrator.
6. A method for implementing an exclusion capability, the method comprising:
communicatively coupling a mesh router with one or more other mesh routers on a network;
storing a mesh-router-producing-entity-issued certificate of a plurality of certificates issued by a mesh-router producing entity, the stored certificate comprising a name, a signature, and a public key, wherein the name corresponds to a name of the mesh router, the signature corresponds to an authentication by the mesh-router-producing entity, and the public key certifying that the mesh-router-producing-entity-issued certificate is bound to the name of the mesh router and configured to store processor-executable instructions capable of being executed by at least one processor;
initializing by designating by at least one other mesh router a single designated neighborhood administrator amongst a plurality of mesh routers of a network;
granting, by the designated neighborhood administrator, access to the network to mesh routers that possess at least one of the plurality of certificates issued by the mesh-router-producing entity;
detecting a delinquent mesh router of the one or more mesh routers of the network and deciding whether to exclude a delinquent mesh router certificate associated with the delinquent mesh router, the delinquent mesh router certificate comprising a name of the delinquent mesh router, a signature created by a producing entity, and a public key corresponding to the delinquent mesh router;
receiving the delinquent mesh router certificate and a notification of the associated delinquent mesh router from the designated neighborhood administrator, the notification being signed by the designated neighborhood administrator to authenticate the notification; and
excluding the delinquent mesh router responsive to the authenticated notification based on the associated delinquent mesh router certificate;
wherein the receiving comprises receiving an identification of a certificate that is associated with the delinquent mesh router, the certificate comprising a name of the delinquent mesh router, a signature created by a producing entity, and a public key corresponding to the delinquent mesh router and further wherein the router comprises a mesh router that effectively treats the associated delinquent mesh router certificate as being revoked and/or invalid based on the authenticated notification from the designated neighborhood administrator even when the associated delinquent mesh router certificate is issued and authenticated by an entity other than the designated neighborhood administrator.
2. The mesh router as recited in
3. The mesh router as recited in
4. The mesh router as recited in
mapping an exclusion indication in the data structure to at least one of (i) the associated delinquent certificate and (ii) an identifier of the delinquent router.
5. The mesh router as recited in
7. The method as recited in
receiving an offer from a node to be the neighborhood administrator; and
designating the node to be the neighborhood administrator by at least one other mesh router.
8. The method as recited in
9. The method as recited in
10. The method as recited in
11. The method as recited in
12. The method as recited in
13. The method as recited in
15. The mesh router as recited in
16. The mesh router as recited in
17. The mesh router as recited in
18. The mesh router as recited in
20. The one or more processor-accessible computer storage media as recited in
receiving the notification wherein the notification identifies the delinquent mesh router certificate such that a mesh router that is associated with the delinquent mesh router certificate can be determined directly from the delinquent mesh router certificate and from a stored data structure.
21. The one or more processor-accessible computer storage media as recited in
mapping an exclusion indication to at least one of the delinquent mesh router certificate and an identifier of a mesh router that is associated with the delinquent mesh router certificate.
23. The system as recited in
refusal means for refusing to forward packets that are authenticated by the delinquent router and/or for refusing to perform an authentication key exchange protocol with the delinquent mesh router.
25. The system as recited in
|
This disclosure relates in general to mesh networks and in particular, by way of example but not limitation, to enabling the exclusion of a delinquent mesh router from a mesh network.
Wireless networks are increasingly used for the communication of both voice and data. Such wireless communication is effectuated by propagating a wireless signal from a transmitter to a receiver, each of which may constitute a node of a wireless network. Nodes in a traditional cellular wireless network, for example, include fixed base stations and mobile stations. Mobile stations access the cellular wireless network via the fixed based stations. The base stations are operated by a network service provider that designs the cellular wireless network and is capable of controlling access to and/or employing security measures in the wireless network. In other words, a single entity operates multiple base stations on a large-scale basis and can therefore provide a degree of organization and a measure of security, as well as a level of overall network management for the cellular wireless network.
Other types of wireless networks, such as spontaneous wireless networks, do not ordinarily entail such large-scale planning, organization, or management. For example, ad hoc wireless networks are created by multiple devices that mutually decide to join together to form nodes of a wireless network, generally without prior or subsequent explicit agreement among owners of the multiple devices. Hence, there is no overarching operator or other entity to enforce network access rules, handle security issues, monitor standards-based requirements, or guarantee generally-accepted wireless network behavior. Legitimate and illegitimate participants of such ad hoc networks can therefore act carelessly, indiscriminately, or even maliciously without being subject to significant restraints or any real repercussions.
Accordingly, there is a need for schemes and/or techniques that can introduce a degree of control and/or accountability into spontaneously-formed wireless networks.
In an exemplary method implementation, a method includes: designating a neighborhood administrator; receiving notification of a delinquent router from the designated neighborhood administrator; and excluding the delinquent router responsive to the notification. In an exemplary mesh router implementation, a mesh router is capable of establishing a wireless mesh network with other mesh routers, the mesh router is further capable of designating a neighborhood administrator mesh router; and the mesh router is adapted to exclude another mesh router that is associated with a particular certificate when the particular certificate has been identified as delinquent by the designated neighborhood administrator mesh router. In an exemplary media implementation, one or more processor-accessible media include processor-executable instructions that, when executed, direct a device to perform actions including: receiving notification of a delinquent mesh router certificate from a neighborhood administrator as designated by the device, the delinquent mesh router certificate signed by an entity other than the neighborhood administrator; and excluding the delinquent mesh router certificate responsive to the notification received from the neighborhood administrator.
Other method, system, approach, apparatus, router, device, media, procedure, arrangement, etc. implementations are described herein.
The same numbers are used throughout the drawings to reference like and/or corresponding aspects, features, and components.
As illustrated, five mesh routers 102(A), 102(B), 102(C), 102(D), and 102(E) form the mesh router network so as to realize at least a portion of a multi-hop wireless network. However, two or more mesh routers 102 (possibly tens, hundreds, thousands, etc.) may form the mesh router network. Each mesh router 102 is capable of communicating wirelessly using, for example, a wireless transmitter and/or receiver (e.g., a transceiver).
Mesh router 102(A) has a wireless link 108AB with mesh router 102(B) and a wireless link 108AD with mesh router 102(D). Mesh router 102(B) additionally has wireless links 108BC and 108BE with mesh routers 102(C) and 102(E), respectively. Similarly, mesh router 102(C) is also in wireless communication with mesh router 102(E) over wireless link 108CE, and mesh router 102(E) is also in wireless communication with mesh router 102(D) over wireless link 108DE.
Although each mesh router 102 is illustrated as being in wireless communication with from one to three end devices 104, each may alternatively be in communication with any number of end devices 104. Mesh router 102(A) is in wireless communication with two end devices 104(A1) and 104(A2) over wireless links 110(A1) and 110(A2), respectively. Mesh router 102(B) is in wireless communication with one end device 104(B1) over wireless link 110(B1). Mesh router 102(C) is in wireless communication with two end devices 104(C1) and 104(C2) over wireless links 110(C1) and 110(C2), respectively. Similarly, mesh router 102(E) has wireless links 110(E) with three end devices 104(E1), 104(E2), and 104(E3). Mesh router 102(D) has wireless links 110(D1) and 110(D2) to two end devices 104(D1) and 104(D2), respectively.
In a described implementation, mesh routers 102 comprise a relatively standard set of devices from an operational perspective. For example, each mesh router 102 may have similar (or even identical) hardware and/or software. The hardware is capable of wireless communication and of executing the software (including firmware).
Mesh routers 102 are designed and/or manufactured by an entity to have at least a baseline set of interoperable capabilities. For example, a first production may result in identical mesh routers 102 from both a hardware and a software perspective for a first version. Available (e.g., software including firmware) upgrades may result in second and subsequent versions that offer optional additional capabilities. A second production may result in mesh routers 102 of later versions that differ from previous versions but are still backwards compatible. In short, the entity producing mesh routers 102 has some measure of determination regarding the hardware and software components thereof.
In contradistinction, end devices 104 comprise a relatively diverse set of devices that may have arbitrary hardware and software with haphazard operational capabilities. Each of end devices 104 may be a laptop, a mobile phone, a personal digital assistant (PDA), a home computer, an entertainment or other appliance, and so forth. End devices 104 may be executing any of a variety of operating systems, applications, managed program coding, and so forth. While otherwise diverse, such end devices 104 are capable of accessing wireless mesh network 100 using an accepted protocol via a mesh router 102.
An entity that is producing mesh routers 102 creates them such that a stable and predictable mesh router network is relatively automatically established. The stability and predictability of the wireless mesh router network is, of course, limited by the vagaries of wireless communication as impacted by distance between transmitter and receiver, interference, changes to the wireless medium, and so forth. Nevertheless, when a mesh router 102 is activated, it attempts to join a wireless mesh network 100 by communicating with any mesh routers 102 that are in range. Establishing wireless mesh network 100 is described further below with particular reference to
End devices 104, on the other hand, may be capable of practically arbitrary and/or systematic malicious actions because their operational capabilities are not centrally controlled. However, the actions of end devices 104 can be curtailed to some extent because end devices 104 connect to wireless mesh network 100 through a mesh router 102, as indicated by wireless links 110. It should be noted that the wireless access protocols governing (i) wireless links 110 for end device 104-to-mesh router 102 communications and (ii) wireless links 108 for intra-mesh router 102 communications may be the same or different.
By way of example, if end device 104(A1) is attempting to send a communication to end device 104(C1), end device 104(A1) transmits the communication to mesh router 102(A) over wireless link 110(A1). Mesh router 102(A) routes the communication to mesh router 102(C) via mesh router 102(B) or mesh routers 102(D) and 102(E). Mesh router 102(C) then transmits the communication over wireless link 110(C1) to end device 104(C1).
As illustrated, end device 104(C1) comprises a resource 106(C1). Although only one resource 106 is shown, multiple resources 106 may be present in wireless mesh network 100 at the same or different mesh router(s) 102. Each resource 106 may be, for example, a local server or repository of information (e.g., for a subdivision), an Internet access point (ITap), a collection of multimedia data (e.g., that is of interest to a small community), and so forth.
In a described implementation for mesh router 102(A), the producing entity is associated with a signing key (not shown) and root key 208 that together form a public-private key pair for the producing entity. The producing entity signs certificate 202(A) with the private signing key to create signature 212(A) by performing an operation on name-A 210(A). Certificate 202(A) certifies that public key 204(A) is bound to name-A 210(A), which is the name of mesh router 102(A). Name-A 210(A) may be, for example, a serial number of mesh router 102(A).
Certificate 202(A) represents that mesh router 102(A) is a valid mesh router 102 that is certified by the producing entity associated with root key 208. Certificate 202(A) therefore indicates that mesh router 102(A) should be allowed to join wireless mesh network 100 (of
In short, each mesh router 102 “ships” with an associated certificate 202. Hence, mesh router “B” 102(B) includes a certificate 202(B), and mesh router “C” 102(C) includes a certificate 202(C). Certificate 202(B) includes name-B 210(B), signature 212(B), and public key 204(B) to indicate that mesh router 102(B) is a valid mesh router 102 from the producing entity and that it is bound to the private key 206(B) that corresponds to public key 204(B). Likewise, certificate 202(C) includes name-C 210(C), signature 212(C), and public key 204(C) to indicate that mesh router 102(C) is a valid mesh router 102 from the producing entity and that it is bound to the private key 206(C) that corresponds to public key 204(C).
When a mesh router 102 is activated, it attempts to contact other mesh routers 102 to establish (e.g., join) a wireless mesh network 100. When an activated mesh router 102 contacts another mesh router 102, the activated mesh router 102 and the other mesh router 102 perform an authentication/key exchange protocol. The two mesh routers 102 exchange certificates to indicate to each other that each is a valid mesh router 102 from the producing entity via a signature verification procedure using root key 208.
One or both mesh routers 102 then use the public key 204 of the other to establish a secret symmetric key that only the activated mesh router 102 and the other mesh router 102 share. The secret key may be established via a key transfer procedure or a key agreement procedure. The shared secret key is then used to authenticate each mesh router 102 to the other. The shared secret key may also be used to ensure confidentiality of information in a communication between the two mesh routers 102.
By way of example with mesh router 102(A), after being activated, it looks for and finds other mesh routers 102 that are in range and that are potential neighbors. With respect to mesh router 102(B), mesh routers 102(A) and 102(B) exchange certificates 202(A) and 202(B). After a secret key establishment procedure, key AB 214 is created and shared between mesh routers 102(A) and 102(B).
At mesh router 102(A), key AB 214(A) is stored in association with/mapped to mesh router “B”. These mesh router-key mappings may be stored, for example, in a data structure. At mesh router 102(B), key AB 214(B) is stored in association with/mapped to mesh router “A”. Key AB 214 may be used to authenticate mesh router 102(A) to mesh router 102(B), and vice versa, as well as optionally to ensure confidentiality of communication contents via encryption.
Likewise, mesh routers 102(A) and 102(C) exchange certificates 202(A) and 202(C). After a secret key establishment procedure, key AC 216 is created and shared between mesh routers 102(A) and 102(C). Key AC 216(A) is mapped to mesh router “C” at mesh router 102(A), and key AC 216(C) is mapped to mesh router “A” at mesh router 102(C). This authentication/key exchange protocol and key establishment procedure between mesh routers 102(A) and 102(C) may occur over the mesh router network portion of wireless mesh network 100 (e.g., via one or more mesh routers 102 such as mesh router 102(B)) even when mesh routers 102(A) and 102(C) are not within wireless range of each other. Similarly, after an exchange of certificates 202(B) and 202(C) and a secret key establishment procedure, key BC 218 is created and shared between mesh routers 102(B) and 102(C). Key BC 218(B) is mapped to mesh router “C” at mesh router 102(B), and key BC 218(C) is mapped to mesh router “B” at mesh router 102(C).
Because packet 302 is being sent to mesh router 102(B) from mesh router 102(A), mesh router 102(A) looks up mesh router “B” in a data structure (e.g., a table) and ascertains the secret key that is shared between them. In this example, the shared secret key that mesh router 102(A) retrieves is key AB 214(A). Mesh router 102(A) therefore uses key AB 214(A) to create MAC-AB 302(AB). MAC-AB 302(AB) is then tagged onto packet 302 prior to transmission. Upon reception of packet 302, mesh router 102(B) accesses its secret key data structure at an entry for mesh router “A” to retrieve the shared secret key that is mapped thereto, which is key AB 214(B). Mesh router 102(B) uses key AB 214(B) along with MAC-AB 302(AB) to authenticate that packet 302 was sent from mesh router 102(A), which is a valid and uncompromised mesh router 102.
In this example, packet 302 is ultimately destined for resource 106(C1) at end device 104(C1), which is coupled to (and may be considered part of) wireless mesh network 100 at mesh router 102(C). Mesh router 102(B), having a routing capability for wireless mesh network 100, determines that packet 302 is to be sent to mesh router 102(C). Mesh router 102(B) therefore ascertains that key BC 218(B) is mapped to mesh router “C” and utilizes key BC 218(B) to create MAC-BC 302(BC). MAC-BC 302(BC) is tagged onto packet 302 and transmitted to mesh router 102(C). Mesh router 102(C) uses its stored key BC 218(C) to authenticate that packet 302 is received from a known and trusted mesh router 102(B).
Authentication is thusly performed on a hop-by-hop basis. Confidentiality (e.g., via encryption) of the information contents of a communication may also be performed on a hop-by-hop basis with each communication being encrypted by the shared secret key of each pair of adjacent mesh routers 102. Alternatively, encryption may be performed on an end-to-end basis. For example, because mesh routers 102(A) and 102(C) established a shared secret key AC 216, the contents of packet 302 may be encrypted using key AC 216. Consequently, intervening mesh routers 102 such as mesh router 102(B) are not able to understand the contents of packet 302 as it is routed through wireless mesh network 100 with end-to-end encryption.
As illustrated in
In a described implementation, mesh router 102(C) presents or offers itself as a neighborhood administrator 404 for a number of mesh routers 102 in wireless mesh network 100. Each mesh router 102 has a personal administrator (not shown) such as the owner thereof that manages the functioning of the respective mesh router 102 within the confines (hopefully) of permitted capabilities originally provided and enabled by the producing entity.
Each personal administrator of a mesh router 102 may select for designation a neighborhood administrator. Although not so illustrated in
In the example of
In a described implementation, delinquent behavior includes, but is not limited to: (i) transmitting at more than an allowed rate; (ii) attempting to send more than a maximum number of allowed packets over the mesh network in a given time period; (iii) refusing to communicate with a valid mesh router; (iv) dropping, including not forwarding, legitimate packets; (v) launching attacks against the network; (vi) a combination thereof; and so forth. Optionally, a local neighborhood and/or neighborhood administrator may selectively determine activities that qualify as delinquent, especially from among a list promulgated by the producing entity. A delinquent mesh router may be discovered using, for example, secure trace route, physical measurement, traffic flow monitoring, specialized mesh management tools (e.g., statistical analysis), notifications from other neighborhood administrators, some combination thereof, and so forth.
In the example illustrated in
The producing entity originally issued certificate 202(A) to indicate the validity of mesh router 102(A) and to bind the public-private key thereof thereto. However, the exclusion of certificate 202(A) causes mesh router 102(C) (i) to consider certificate 202(A) to be invalid for wireless mesh network 100 purposes and (ii) to refuse to route traffic from the associated mesh router 102(A).
Mesh router 102(C) as neighborhood administrator 404 has an ability, if not a responsibility, to propagate the exclusion determination to mesh routers 102 in its neighborhood. Mesh router 102(C) broadcasts exclusion message 504 to mesh routers 102 in its neighborhood. Exclusion message—mesh router A 504 includes an identifier of mesh router 202(A) and/or certificate 202(A). This identifier includes, for example, name—A 210(A) (of
As illustrated in
If a shared secret key has already been established with mesh router 102(A) prior to receipt of exclusion message—mesh router A 504, then the shared secret key may be disregarded in the future. For example, at exclusion indications 502(B) and 502(D), key AB 214(B) and key AD 402(D) may be rendered irrelevant. Optionally, if such keys are not to be subsequently used e.g. for tracking purposes, key AB 214(B) and key AD 402(D) may be deleted.
As represented by the truncated wireless links 108AB and 108AD, mesh router 102(A) is excluded from the neighborhood for which mesh router 102(C) is the neighborhood administrator 404. For example, if mesh router 102(B) receives a packet 302 that is tagged with MAC-AB 302(AB), mesh router 102(B) refuses to route packet 302 any further (either to another mesh router 102 or end device 104(B1)).
If, on the other hand, a shared secret key has not already been established with mesh router 102(A) prior to receipt of exclusion message—mesh router A 504, then the exclusion indication may be mapped to an identifier of mesh router 102(A) and/or certificate 202(A), if provided in the message. This identifier may be name—A 210(A) (of
At block 702, neighborhood administrator status is established. For example, mesh router “C” 102(C) may offer to be a neighborhood administrator 404, and at least one other mesh router 102 designates mesh router “C” 102(C) as the neighborhood administrator 404. An owner of a valued resource 106, for instance, may offer its mesh router 102 as a neighborhood administrator 404.
At block 704, a delinquent mesh router is detected. For example, it may be detected that mesh router 102(A) is delinquent through one or more of the above-described mechanisms. At block 706, neighborhood mesh routers are notified of the delinquent mesh router.
For example, mesh router “C” 102(C) may broadcast an exclusion message—mesh router A 504 that identifies mesh router 102(A), such as by including certificate 202(A) in the message. Exclusion message—mesh router A 504 may be sent over wireless mesh network 100 or through some out-of-band avenue.
With respect to mesh router “B” 102(B), a neighborhood administrator is designated by the mesh router at block 708. For example, mesh router “B” 102(B) may designate mesh router “C” 102(C) as its designated neighborhood administrator 406B. The communication exchange that effectuates this designation informs mesh router “C” 102(C) that mesh router “B” 102(B) has joined its neighborhood. As a result, exclusion notifications that are provided (e.g., transmitted) by mesh router “C” 102(C) are targeted to mesh router “B” 102(B).
At block 710, the mesh router receives notification of a delinquent mesh router from the designated neighborhood administrator. For example, mesh router “B” 102(B) may receive exclusion message—mesh router A 504, which identifies certificate 202(A) of mesh router 102(A), from mesh router “C” 102(C). The exclusion message—mesh router A 504 may be signed by mesh router “C” 102(C) so that mesh router “B” 102(B) can authenticate that the exclusion notification originated from its designated neighborhood administrator 404.
At block 712, the mesh router excludes the identified delinquent mesh router based on the certificate that is associated with the identified delinquent mesh router. For example, mesh router “B” 102(B) may refuse to communicate with mesh router 102(A), including refusing to forward or otherwise route packets that are authenticated with certificate 202(A) or a secret key established therewith.
Certificate 202(A) is issued for mesh router 102(A) by the producing entity of mesh routers 102. Mesh router 102(C) notifies mesh router 102(B) of the exclusion status of certificate 202(A). Mesh router 102(B) consequently excludes certificate 202(A) based on this notification. This exclusion affects mesh router 102(A) or any mesh router 102 attempting to present certificate 202(A) as an indication of validity and trustworthiness. Thus, mesh router 102(B) effectively treats certificate 202(A) as being revoked and/or invalid based on notification from a non-issuing entity, namely mesh router 102(C), that has been designated by mesh router 102(B) to have this exclusion authority.
As shown in
In a described implementation, mesh router 102(C) is the established neighborhood administrator 404 for a given neighborhood. The neighborhood of mesh router 102(C) includes mesh router 102(B), mesh router 102(E), mesh router 102(D) (e.g., of
Forming a neighborhood is one approach to enabling implementation of the above-described exclusion capability. Neighborhood formation also enables another kind of cooperation between and among mesh routers 102 of a given neighborhood. For example, privileged access may be given by mesh routers 102 to end devices 104 that are affiliated with other mesh routers 102 of the same neighborhood.
In a described implementation, end devices 104 are granted access to wireless mesh network 100 (e.g., of
End device 104(B1) is affiliated with mesh router 102(B). For example, a personal administrator of mesh router 102(B) may know or actually be the owner of end device 104(B1). Accordingly, the personal administrator may want end device 104(B1) to be entitled to preferred access to wireless mesh network 100 at least through mesh router 102(B). To provide end device 104(B1) with evidence of this affiliation, mesh router 102(B) issues a certificate 202(B1) that is signed by certificate 202(B) to end device 104(B1).
In other words, end device 104(B1) is issued and associated with certificate 202(B1) as signed by certificate 202(B). Hence, a name of certificate 202(B1) identifies end device 104(B1). A public key of certificate 202(B1) corresponds to a private key, with the resulting public-private key pair being associated with end device 104(B1). A signature of certificate 202(B1) is produced by a private key operation using private key 206(B) (of
Certificates issued to end devices 104, such as certificate 202(B1), may be issued with an expiration date because they are likely less secure than certificates issued to mesh routers 102, such as mesh router 102(B), by the producing entity. Mesh router 102(B) may also delegate certificate-issuing authority to end device 104(B1). End device 104(B1) can subsequently issue additional certificates 202 to other end devices 104 to create a certificate chain. The certificate chain may be used for demonstrating end device 104 affiliation and securing recognition from non-affiliated mesh routers 102.
If a personal administrator of a given mesh router 102 learns that a particular end device certificate 202 issued by its given mesh router 102 is suspect (e.g., because the associated end device 104 is compromised), the personal administrator or given mesh router 102 thereof requests that the suspect end device certificate 202 be excluded. This request is made to the neighborhood administrator 404, which can then broadcast an exclusion notification message that identifies the suspect end device certificate 202.
End device 104(B1) can use certificate 202(B1) along with certificate 202(B) to demonstrate that it is also entitled to preferred access with non-affiliated mesh routers 102 that are in the neighborhood of mesh router 102(C). This may occur, for example, if mesh router 102(B) is non-functional and/or if end device 104(B1) moves out of range of mesh router 102(B). For instance, end device 104(B1) may move into range of mesh router 102(E).
Mesh router 102(E) includes a data structure 902 that lists or enumerates mesh routers 102 that are neighborhood members. In this example, the enumerated neighborhood members are those mesh routers 102 that have designated mesh router 102(C) as their neighborhood administrator at 406B, 406E, etc. Data structure 902 lists mesh router “B” [102(B)]; mesh router “C” [102(C)], which may be identified as the neighborhood administrator (NA); mesh router “D” [102(D)]; and so forth.
Data structure 902 may be part of and/or include other data structures, such as those data structures that store shared secret keys, those that store exclusion indications, and so forth. Although not so illustrated in
In operation, end device 104(B1) and mesh router 102(E) set up wireless link 110(E/B1) therebetween. End device 104(B1) provides mesh router 102(E) with certificate 202(B) and certificate 202(B1). Based on certificate 202(B), mesh router 102(E) accesses data structure 902 to ascertain if the named mesh router, mesh router 102(B), is a member of the neighborhood of mesh router 102(C) to which mesh router 102(E) belongs. If data structure 902 includes mesh routers 102 that have been excluded, then mesh router 102(E) also checks to ensure that mesh router 102(B) has not been excluded.
Because mesh router 102(B) is a member of the neighborhood of mesh router 102(C) and is thus listed in neighborhood members data structure 902, mesh router 102(E) analyzes certificate 202(B). If mesh router 102(E) and mesh router 102(B) have previously performed a certificate exchange/key establishment procedure and if mesh router 102(E) stored a copy of certificate 202(B), mesh router 102(E) may merely compare the stored copy of certificate 202(B) to the copy of certificate 202(B) provided by end device 104(B1) to ensure the legitimacy of certificate 202(B). If not, then mesh router 102(E) performs a signature verification procedure on certificate 202(B) using its stored root key 208(E) (not explicitly illustrated) to validate certificate 202(B).
After mesh router 102(E) ascertains that mesh router 102(B) is a member of the same neighborhood and that the presented certificate 202(B) is legitimate/valid, mesh router 102(E) analyzes certificate 202(B1). Certificate 202(B1) is analyzed to ensure that certificate 202(B1) was issued by the mesh router 102(B) that is associated with certificate 202(B). Thus, mesh router 102(E) uses public key 204(B) of certificate 202(B) to perform a signature verification procedure on the signature of certificate 202(B1) to verify that the signature of certificate 202(B1) was signed by the corresponding private key 206(B) of neighborhood member mesh router 102(B).
If this signature verification procedure is successful, then mesh router 102(E) has determined that certificate 202(B1) is valid and that end device 104(B1) is affiliated with mesh router 102(B), which is a neighborhood member of the neighborhood of mesh router 102(C). Consequently, mesh router 102(E) grants end device 104(B1) preferred access instead of standard access. Mesh router 102(E) and end device 104(B1) may also perform a key establishment procedure to establish a shared secret key for authenticating/encrypting communications between the two nodes.
Privileged status relates to level of service such as being entitled to preferred access instead of merely standard access. Preferred access versus standard access may respectively comprise a faster data rate versus a slower data rate, a guaranteed throughput versus a best effort throughput, a higher priority for transmission/reception versus a lower priority for transmission/reception, some combination thereof, and so forth. Levels of service may also include more than two different levels of service/status.
It should be noted that preferred access versus standard access (or a greater number of different levels of service) for communicated traffic may be honored throughout wireless mesh network 100 by tagging traffic. For example, routers 102 can tag their transmitted packets by their individually determined classification (e.g., as “standard access rate” or “preferred access rate”). As a result, differences in packet classification can be respected throughout wireless mesh network 100, instead of merely at the router 102 where an end device 104 introduces the packets into wireless mesh network 100 and where the classification determination is made.
This exemplary recognition mechanism therefore enables an end device 104(B1) that is affiliated with a particular mesh router 102(B) to be specially recognized by other mesh routers 102 that are members of the same neighborhood, which is administered by mesh router 102(C). As a result, peers (e.g., mesh routers 102) of a first tier can issue certificates 202 hierarchically to a second different tier (e.g., to end devices 104) that are recognized by other peers of the first tier.
At block 1004, an end device connects with an affiliated mesh router. For example, end device 104(B1) may connect with mesh router 102(B) over wireless link 110(B1). End device 104(B1) may be affiliated with mesh router 102(B) if the personal administrator of mesh router 102(B) knows or otherwise trusts the owner/operator of end device 104(B1).
At block 1002, the affiliated mesh router issues an end device certificate, which is signed by the mesh router certificate of the affiliated mesh router, to the end device. For example, mesh router 102(B) may use its associated certificate 202(B) to sign a certificate 202(B1) that is issued to end device 104(B1). Both of the certificates, certificate 202(B) and certificate 202(B1), may be provided via wireless link 110(B1) from mesh router 102(B) to end device 104(B1).
At block 1006, the end device certificate and the mesh router certificate are stored by the end device. For example, certificate 202(B1) and certificate 202(B) may be stored by end device 104(B1). At block 1008, the end device moves to a new location. For example, after disconnecting from mesh router 102(B), end device 104(B1) may move from being within range of mesh router 102(B) to being within range of mesh router 102(E). As indicated by the asterisk(*), this is an optional action inasmuch as end device 104(B1) may be within range of, and capable of wirelessly communicating with, both of mesh routers 102(B) and 102(E) from a single location.
At block 1010, the end device connects with a neighborhood (but non-affiliated) mesh router. For example, end device 104(B1) may connect with mesh router 102(E) over wireless link 110(E/B1). Mesh router 102(E) is a member of the same neighborhood as that of mesh router 102(B), to which end device 104(B1) is affiliated. In other words, both of mesh router 102(B) and mesh router 102(E) have designated the same neighborhood administrator 404 in mesh router 102(C).
At block 1012, the end device provides both the end device certificate and the mesh router certificate that was used to sign the end device certificate to the non-affiliated neighborhood mesh router. For example, end device 104(B1) may provide certificate 202(B1) and certificate 202(B) to mesh router 102(E). Alternatively, if mesh router 102(E) has stored a copy of an associated certificate 202 for each mesh router 102 in its neighborhood, end device 104(B1) may merely send certificate 202(B1) and an identifier of mesh router 102(B), which identifier may be included in certificate 202(B1), to mesh router 102(E).
At block 1014, the neighborhood mesh router ascertains if the mesh router associated with the mesh router certificate is a neighborhood member. For example, mesh router 102(E) may access a neighborhood members data structure 902 to ascertain if there is an entry thereof that is directed to/includes mesh router 102(B). If not, then at block 1020 the neighborhood mesh router grants the end device standard access. For example, mesh router 102(E) may grant standard access to end device 104(B1).
If, on the other hand, the neighborhood mesh router does ascertain that the mesh router associated with the mesh router certificate is a neighborhood member (at block 1014), then the method continues at block 1016. At block 1016, the neighborhood mesh router determines whether the end device certificate is valid. For example, mesh router 102(E) may analyze certificate 202(B1), possibly in conjunction with an analysis of certificate 202(B), to determine whether certificate 202(B1) was issued by a private key 206(B) of a legitimate mesh router 102(B). This analysis may involve at least one public key 204(B) operation for a signature verification procedure on a signature of certificate 202(B1).
If it is not determined that the end device certificate is valid (at block 1016), then standard access is granted to the end device by the neighborhood mesh router at block 1020. If, on the other hand, the neighborhood mesh router does determine that the end device certificate is valid (at block 1016), then the method continues at block 1018. At block 1018, the neighborhood mesh router grants preferred access to the end device. For example, mesh router 102(E) may grant preferred access to end device 104(B1). This exemplary method thus implements end device recognition in a wireless mesh network such that an end device may receive privileged access from a non-affiliated mesh router that is a member of the same neighborhood as the mesh router to which the end device is affiliated.
As illustrated, mesh router “C” 102(C) is indicated at 404C as a neighborhood administrator for a first neighborhood. Mesh router 102(B) is a member of the first neighborhood of mesh router 102(C). A mesh router “G” 102(G) is indicated at 404G as a neighborhood administrator for another second neighborhood. A mesh router 102(F) is a member of the second neighborhood of mesh router 102(G). Mesh router 102(F) has designated mesh router “G” as neighborhood administrator at 406F. Mesh router 102(F) is associated with a certificate 202(F), and mesh router 102(G) is associated with a certificate 202(G).
In a described implementation, neighborhood administrators 404C and 404G for mesh routers 102(C) and 102(G), respectively, have agreed to reciprocity recognition 1102. In other words, each of mesh router 102(C) and mesh router 102(G) have agreed to specially recognize end devices 104 that are affiliated with each other's member mesh routers 102. Alternatively, the recognition agreement may be unilateral instead of reciprocal and bilateral.
Mesh router 102(G) is in communication with mesh router 102(F) over wireless link 108FG. Over wireless link 108FG mesh router 102(G) sends a trust mesh router “C” message 1104 to mesh router 102(F). In other words, mesh router 102(G) is asserting that mesh router 102(C) operates a good and/or trustworthy neighborhood. Mesh router 102(G) is also instructing mesh router 102(F) to specially recognize end devices 104 that are affiliated with mesh routers 102 of the neighborhood of mesh router 102(C) in order to fulfill obligations of being a proper mesh router 102 in the neighborhood of mesh router 102(G).
Mesh router 102(F) includes a data structure 1106 that lists or enumerates neighborhood administrators that are to be trusted. Responsive to the trust mesh router “C” message 1104, mesh router 102(F) adds an entry that includes/identifies mesh router “C” [102(C)]. Data structure 1106 may also include additional entries as indicated by the ellipses. Furthermore, trusted neighborhood administrators data structure 1106 may also be combined with other data structures, including those described otherwise herein. Although not so illustrated in
In a described implementation, at time T=X, end device 104(B1) is in communication with mesh router 102(B) over wireless link 110(B1). End device 104(B1) is associated with and includes certificate 202(B1) as signed by certificate 202(B), which is also stored by end device 104(B1). Mesh router 102(B) also provides end device 104(B1) with a membership certificate 202(CB) that is signed by certificate 202(C). Membership certificate 202(CB) and certificate 202(C) are provided to mesh router 102(B) from mesh router 102(C).
Digital certificates can also be used to certify that an entity has a particular attribute(s). Certificates that represent that an entity has a certain attribute are called attribute certificates. When the attribute is membership, the attribute certificate may be termed a membership certificate. Membership certificate 202(CB) represents that mesh router 102(B) is a member of the neighborhood of mesh router 102(C). Membership certificate 202(CB) is signed with certificate 202(C) by mesh router 102(C), which is neighborhood administrator 404C.
At time T=X+1, end device 104(B1) moves from being in range of mesh router 102(B) of the neighborhood of mesh router 102(C) to being in range of mesh router 102(F) of the neighborhood of mesh router 102(G). Mesh router 102(F) and end device 104(B1) establish a connection over wireless link 110(F/B1). Over wireless link 110(F/B1), end device 104(B1) transmits certificate 202(B1), certificate 202(B), membership certificate 202(CB), and certificate 202(C) to mesh router 102(F). In an alternative implementation, membership certificate 202(CB) and/or certificate 202(C) may be provided to mesh router 102(F) from mesh router 102(G).
Mesh router 102(F) uses certificate 202(B1) and certificate 202(B) to ensure that end device 104(B1) is a valid mesh router 102 that is in fact affiliated with mesh router 102(B) via signature verification procedures. Mesh router 102(F) uses membership certificate 202(CB) and certificate 202(C) to ensure that mesh router 102(B) is in fact a member of the neighborhood of mesh router 102(C).
After accessing trusted neighborhood administrators data structure 1106 and locating an entry including/directed to mesh router “C” [102(C)], mesh router 102(F) determines that end devices 104 that are affiliated with mesh routers 102 that are members of the neighborhood of mesh router 102(C) are to be granted specialized recognition. Accordingly, mesh router 102(F) grants end device 104(B1) special recognition. For example, end device 104(B1) may be entitled to preferred access status.
With reference to
The routers, devices, actions, aspects, features, components, etc. of
Exemplary operating environment 1200 is only one example of an environment and is not intended to suggest any limitation as to the scope of use or functionality of the applicable device (including computer, network node such as, a router or end device, entertainment device, mobile appliance, general electronic device, etc.) architectures. Neither should operating environment 1200 (or the devices thereof) be interpreted as having any dependency or requirement relating to any one or to any combination of components as illustrated in
Additionally, mesh network implementations may be realized with numerous other general purpose or special purpose device (including computing or wireless system) environments or configurations. Examples of well known devices, systems, environments, and/or configurations that may be suitable for use include, but are not limited to, personal computers, server computers, thin clients, thick clients, personal digital assistants (PDAs) or mobile telephones, watches, hand-held or laptop devices, multiprocessor systems, microprocessor-based systems, set-top boxes, programmable consumer electronics, video game machines, game consoles, portable or handheld gaming units, network PCs, minicomputers, mainframe computers, wired or wireless network nodes (including general or specialized routers), distributed or multi-processing computing environments that include any of the above systems or devices, some combination thereof, and so forth.
Realizations for mesh network implementations may be described in the general context of processor-executable instructions. Generally, processor-executable instructions include routines, programs, modules, protocols, objects, interfaces, components, data structures, etc. that perform and/or enable particular tasks and/or implement particular abstract data types. Mesh network implementations, as described in certain embodiments herein, may also be practiced in distributed processing environments where tasks are performed by remotely-linked processing devices that are connected through a communications link and/or network. Especially but not exclusively in a distributed computing environment, processor-executable instructions may be located in separate storage media, executed by different processors, and/or propagated over transmission media.
Exemplary operating environment 1200 includes a general-purpose computing device in the form of a computer 1202, which may comprise any (e.g., electronic) device with computing/processing capabilities. The components of computer 1202 may include, but are not limited to, one or more processors or processing units 1204, a system memory 1206, and a system bus 1208 that couples various system components including processor 1204 to system memory 1206.
Processors 1204 are not limited by the materials from which they are formed or the processing mechanisms employed therein. For example, processors 1204 may be comprised of semiconductor(s) and/or transistors (e.g., electronic integrated circuits (ICs)). In such a context, processor-executable instructions may be electronically-executable instructions. Alternatively, the mechanisms of or for processors 1204, and thus of or for computer 1202, may include, but are not limited to, quantum computing, optical computing, mechanical computing (e.g., using nanotechnology), and so forth.
System bus 1208 represents one or more of any of many types of wired or wireless bus structures, including a memory bus or memory controller, a point-to-point connection, a switching fabric, a peripheral bus, an accelerated graphics port, and a processor or local bus using any of a variety of bus architectures. By way of example, such architectures may include an Industry Standard Architecture (ISA) bus, a Micro Channel Architecture (MCA) bus, an Enhanced ISA (EISA) bus, a Video Electronics Standards Association (VESA) local bus, a Peripheral Component Interconnects (PCI) bus also known as a Mezzanine bus, some combination thereof, and so forth.
Computer 1202 typically includes a variety of processor-accessible media. Such media may be any available media that is accessible by computer 1202 or another (e.g., electronic) device, and it includes both volatile and non-volatile media, removable and non-removable media, and storage and transmission media.
System memory 1206 includes processor-accessible storage media in the form of volatile memory, such as random access memory (RAM) 1210, and/or non-volatile memory, such as read only memory (ROM) 1212. A basic input/output system (BIOS) 1214, containing the basic routines that help to transfer information between elements within computer 1202, such as during start-up, is typically stored in ROM 1212. RAM 1210 typically contains data and/or program modules/instructions that are immediately accessible to and/or being presently operated on by processing unit 1204.
Computer 1202 may also include other removable/non-removable and/or volatile/non-volatile storage media. By way of example,
The disk drives and their associated processor-accessible media provide non-volatile storage of processor-executable instructions, such as data structures, program modules, and other data for computer 1202. Although exemplary computer 1202 illustrates a hard disk 1216, a removable magnetic disk 1220, and a removable optical disk 1224, it is to be appreciated that other types of processor-accessible media may store instructions that are accessible by a device, such as magnetic cassettes or other magnetic storage devices, flash memory, compact disks (CDs), digital versatile disks (DVDs) or other optical storage, RAM, ROM, electrically-erasable programmable read-only memories (EEPROM), and so forth. Such media may also include so-called special purpose or hard-wired IC chips. In other words, any processor-accessible media may be utilized to realize the storage media of the exemplary operating environment 1200.
Any number of program modules (or other units or sets of instructions/code) may be stored on hard disk 1216, magnetic disk 1220, optical disk 1224, ROM 1212, and/or RAM 1210, including by way of general example, an operating system 1228, one or more application programs 1230, other program modules 1232, and program data 1234. Such instructions may include module(s) for joining and participating in a wireless mesh network, module(s) for implementing exclusion mechanisms, module(s) for extending the PKI onto the end device tier, mapping data structure(s), and so forth.
A user may enter commands and/or information into computer 1202 via input devices such as a keyboard 1236 and a pointing device 1238 (e.g., a “mouse”). Other input devices 1240 (not shown specifically) may include a microphone, joystick, game pad, satellite dish, serial port, scanner, and/or the like. These and other input devices are connected to processing unit 1204 via input/output interfaces 1242 that are coupled to system bus 1208. However, input devices and/or output devices may instead be connected by other interface and bus structures, such as a parallel port, a game port, a universal serial bus (USB) port, an infrared port, an IEEE 1394 (“Firewire”) interface, an IEEE 802.11 or other general wireless interface, a Bluetooth® wireless interface, and so forth.
A monitor/view screen 1244 or other type of display device may also be connected to system bus 1208 via an interface, such as a video adapter 1246. Video adapter 1246 (or another component) may be or may include a graphics card for processing graphics-intensive calculations and for handling demanding display requirements. Typically, a graphics card includes a graphics processing unit (GPU), video RAM (VRAM), etc. to facilitate the expeditious display of graphics and the performance of graphics operations. In addition to monitor 1244, other output peripheral devices may include components such as speakers (not shown) and a printer 1248, which may be connected to computer 1202 via input/output interfaces 1242.
Computer 1202 may operate in a networked environment using logical connections to one or more remote computers, such as a remote computing device 1250. By way of example, remote computing device 1250 may be a personal computer, a portable computer (e.g., laptop computer, tablet computer, PDA, mobile station, etc.), a palm or pocket-sized computer, a watch, a gaming device, a server, a router, a network computer, a peer device, another network node, or another device type as listed above, and so forth. However, remote computing device 1250 is illustrated as a portable computer that may include many or all of the elements and features described herein with respect to computer 1202.
Logical connections between computer 1202 and remote computer 1250 are depicted as a local area network (LAN) 1252 and a general wide area network (WAN) 1254. Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets, the Internet, fixed and mobile telephone networks, ad-hoc and infrastructure wireless networks, other wireless networks, gaming networks, some combination thereof, and so forth. Such networks and communications connections are examples of transmission media.
When implemented in a LAN networking environment, computer 1202 is usually connected to LAN 1252 via a network interface or adapter 1256. When implemented in a WAN networking environment, computer 1202 typically includes a modem 1258 or other component for establishing communications over WAN 1254. Modem 1258, which may be internal or external to computer 1202, may be connected to system bus 1208 via input/output interfaces 1242 or any other appropriate mechanism(s). It is to be appreciated that the illustrated network connections are exemplary and that other manners for establishing communication link(s), including wireless link(s), between computers 1202 and 1250 may be employed.
In a networked environment, such as that illustrated with operating environment 1200, program modules or other instructions that are depicted relative to computer 1202, or portions thereof, may be fully or partially stored in a remote media storage device. By way of example, remote application programs 1260 reside on a memory component of remote computer 1250 but may be usable or otherwise accessible via computer 1202. Also, for purposes of illustration, application programs 1230 and other processor-executable instructions such as operating system 1228 are illustrated herein as discrete blocks, but it is recognized that such programs, components, and other instructions reside at various times in different storage components of computing device 1202 (and/or remote computing device 1250) and are executed by processor(s) 1204 of computer 1202 (and/or those of remote computing device 1250).
Although systems, media, routers, devices, methods, procedures, apparatuses, techniques, APIs, schemes, approaches, procedures, arrangements, and other implementations have been described in language specific to structural, logical, algorithmic, and functional features and/or diagrams, it is to be understood that the invention defined in the appended claims is not necessarily limited to the specific features or diagrams described. Rather, the specific features and diagrams are disclosed as exemplary forms of implementing the claimed invention.
Bahl, Paramvir, Simon, Daniel R., Wang, Helen Jiahe
Patent | Priority | Assignee | Title |
10212141, | May 04 2016 | NXP USA, INC | Autonomous key update mechanism with blacklisting of compromised nodes for mesh networks |
10277564, | May 04 2016 | NXP USA, INC | Light-weight key update mechanism with blacklisting based on secret sharing algorithm in wireless sensor networks |
11650084, | Mar 31 2004 | ALARM COM INCORPORATED | Event detection using pattern recognition criteria |
7929914, | Mar 31 2004 | ALARM COM INCORPORATED | Mote networks using directional antenna techniques |
7941188, | Mar 31 2004 | ALARM COM INCORPORATED | Occurrence data detection and storage for generalized sensor networks |
8161097, | Mar 31 2004 | ALARM COM INCORPORATED | Aggregating mote-associated index data |
8200744, | Mar 31 2004 | ALARM COM INCORPORATED | Mote-associated index creation |
8239915, | Jun 30 2006 | CA, INC | Endpoint management using trust rating data |
8271449, | Jul 30 2004 | ALARM COM INCORPORATED | Aggregation and retrieval of mote network data |
8275824, | Jul 30 2004 | ALARM COM INCORPORATED | Occurrence data detection and storage for mote networks |
8335814, | Mar 31 2004 | ALARM COM INCORPORATED | Transmission of aggregated mote-associated index data |
8346846, | May 12 2004 | ALARM COM INCORPORATED | Transmission of aggregated mote-associated log data |
8352420, | Jun 25 2004 | ALARM COM INCORPORATED | Using federated mote-associated logs |
8543809, | Sep 06 2007 | Siemens Aktiengesellschaft | Method for misbehaviour detection in secure wireless mesh networks |
8726391, | Oct 10 2008 | NORTONLIFELOCK INC | Scheduling malware signature updates in relation to threat awareness and environmental safety |
9021576, | Aug 10 2007 | Canon Kabushiki Kaisha | Apparatus and method for sharing of an encryption key in an ad-hoc network |
9062992, | Jul 27 2004 | ALARM COM INCORPORATED | Using mote-associated indexes |
9261383, | Jul 30 2004 | ALARM COM INCORPORATED | Discovery of occurrence-data |
Patent | Priority | Assignee | Title |
5220604, | Sep 28 1990 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Method for performing group exclusion in hierarchical group structures |
5434863, | Aug 30 1991 | Hitachi, Ltd. | Internetworking apparatus for connecting plural network systems and communication network system composed of plural network systems mutually connected |
5548728, | Nov 04 1994 | Canon Kabushiki Kaisha | System for reducing bus contention using counter of outstanding acknowledgement in sending processor and issuing of acknowledgement signal by receiving processor to indicate available space in shared memory |
5580177, | Mar 29 1994 | HEWLETT-PACKARD DEVELOPMENT COMPANY, L P | Printer/client network with centrally updated printer drivers and printer status monitoring |
5613096, | Nov 04 1994 | Canon Kabushiki Kaisha | Network protocol sensor |
6389532, | Apr 20 1998 | Oracle America, Inc | Method and apparatus for using digital signatures to filter packets in a network |
6397260, | Mar 08 1999 | Hewlett Packard Enterprise Development LP | Automatic load sharing for network routers |
6397329, | Nov 21 1997 | TUMBLEWEED HOLDINGS LLC | Method for efficiently revoking digital identities |
6425004, | Feb 24 1999 | RPX CLEARINGHOUSE LLC | Detecting and locating a misbehaving device in a network domain |
6788648, | Apr 24 2001 | ATITANIA LTD | Method and apparatus for load balancing a distributed processing system |
6853988, | Sep 20 1999 | Security First Innovations, LLC | Cryptographic server with provisions for interoperability between cryptographic systems |
6879574, | Jun 24 2002 | Nokia Technologies Oy | Mobile mesh Ad-Hoc networking |
6917985, | Mar 10 2000 | Regents of the University of California, The | Core assisted mesh protocol for multicast routing in ad-hoc Networks |
7047409, | Jun 09 2000 | Northrop Grumman Systems Corporation | Automated tracking of certificate pedigree |
7096359, | Mar 01 2001 | CINCINNATI, UNIVERSITY OF | Authentication scheme for ad hoc and sensor wireless networks |
7181614, | Oct 27 1999 | CLUSTER, LLC; Optis Wireless Technology, LLC | Method and arrangement in a communication network |
7286489, | Oct 10 2000 | Intel Corporation | Communications meshes |
7308574, | Feb 28 2002 | International Business Machines Corporation | Method and system for key certification |
7317914, | Sep 24 2004 | Microsoft Technology Licensing, LLC | Collaboratively locating disconnected clients and rogue access points in a wireless network |
7382762, | Jul 08 2003 | Samsung Electronics Co., Ltd.; SAMSUNG ELECTRONICS CO LTD | Method and system for distributed certificate management in ad-hoc networks |
20020053020, | |||
20020124169, | |||
20020162018, | |||
20030149874, | |||
20030235175, | |||
20040015689, | |||
20040103275, | |||
20040139022, | |||
20040190468, | |||
20050027778, | |||
20050191990, |
Executed on | Assignor | Assignee | Conveyance | Frame | Reel | Doc |
Dec 16 2003 | SIMON, DANIEL R | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 014821 | /0328 | |
Dec 16 2003 | BAHL, PARAMVIR | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 014821 | /0328 | |
Dec 16 2003 | WANG, HELEN JIAHE | Microsoft Corporation | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 014821 | /0328 | |
Dec 17 2003 | Microsoft Corporation | (assignment on the face of the patent) | / | |||
Oct 14 2014 | Microsoft Corporation | Microsoft Technology Licensing, LLC | ASSIGNMENT OF ASSIGNORS INTEREST SEE DOCUMENT FOR DETAILS | 034541 | /0477 |
Date | Maintenance Fee Events |
Mar 03 2010 | ASPN: Payor Number Assigned. |
Mar 18 2013 | M1551: Payment of Maintenance Fee, 4th Year, Large Entity. |
Aug 03 2017 | M1552: Payment of Maintenance Fee, 8th Year, Large Entity. |
Oct 04 2021 | REM: Maintenance Fee Reminder Mailed. |
Mar 21 2022 | EXP: Patent Expired for Failure to Pay Maintenance Fees. |
Date | Maintenance Schedule |
Feb 16 2013 | 4 years fee payment window open |
Aug 16 2013 | 6 months grace period start (w surcharge) |
Feb 16 2014 | patent expiry (for year 4) |
Feb 16 2016 | 2 years to revive unintentionally abandoned end. (for year 4) |
Feb 16 2017 | 8 years fee payment window open |
Aug 16 2017 | 6 months grace period start (w surcharge) |
Feb 16 2018 | patent expiry (for year 8) |
Feb 16 2020 | 2 years to revive unintentionally abandoned end. (for year 8) |
Feb 16 2021 | 12 years fee payment window open |
Aug 16 2021 | 6 months grace period start (w surcharge) |
Feb 16 2022 | patent expiry (for year 12) |
Feb 16 2024 | 2 years to revive unintentionally abandoned end. (for year 12) |